[Snort-users] Garbage in snort logs

Martin Roesch roesch at ...1935...
Tue Jan 8 20:02:04 EST 2002


Do you have a reliable way to reproduce this, and if so can you capture
the packets and send us a sample so we can debug the problem?  This
sounds awful weird.

     -Marty

russell wrote:
> 
> I have made some progress in working out what is going on.  I now have
> two snort sensors working in parallel so I can twiddle the config file
> of one and see how the logs compare to the 'standard' config.
> 
> I have now established that commenting out the 'preprocessor
> stream4_reassemble' has the effect of not logging the packets with MAC
> address 0. I.e. I don't get alerts at all for these events when the
> reassembling is not enabled.  This suggests that the problems are
> occurring in the reassembling code.
> 
> I tracked one alert that was logged by the snort instance doing
> reassembling and not logged by the other. I verified from our argus logs
> that there was a session at this time with the logged port numbers but
> we failed to find anything in the web server logs that matched the
> logged content of the packet (an attempt to execute command.exe by
> escaping from _vti_bin).
> 
> This suggests to me that there is packet corruption taking place in the
> packet reassembling *before* the pattern matching takes place and that
> packets from different tcp streams are being mixed. From the look of the
> data in the logged packets I would guess that some lengths are not being
> correctly set so the data from some previous packet gets appended.
> 
> --
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
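The differential check Russell describes (two sensors, one with stream4_reassemble and one without, then looking for alerts that only the reassembling sensor emits and carry a zero Ethernet address) can be scripted against the alert files. The following is an added example, not code from the thread or from the Snort project; the log layout is assumed to be Snort's "full" alert format with Ethernet headers printed (`-e`), and both sensor logs are constructed samples.

```python
import re

# Constructed sample in the "full" alert format Snort writes when run with -e
# (Ethernet headers printed); the layout is assumed from that format, not copied
# from the thread. Sensor A runs stream4_reassemble, sensor B has it commented out.
SENSOR_A = """\
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
01/08-19:55:12.123456 0:A0:C9:1:2:3 -> 0:50:4:5:6:7 type:0x800 len:0x7A
10.1.1.5:3456 -> 10.1.1.9:80 TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:108 DF

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
01/08-19:57:40.654321 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x3C
10.1.1.7:4021 -> 10.1.1.9:80 TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:46 DF
"""
SENSOR_B = """\
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
01/08-19:55:12.123456 0:A0:C9:1:2:3 -> 0:50:4:5:6:7 type:0x800 len:0x7A
10.1.1.5:3456 -> 10.1.1.9:80 TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:108 DF
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\]\n"
    r"(?:\[Classification: [^\]]*\] \[Priority: \d+\]\n)?"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<smac>[0-9A-Fa-f:]+) -> (?P<dmac>[0-9A-Fa-f:]+) type:0x[0-9A-Fa-f]+ len:0x[0-9A-Fa-f]+\n"
    r"(?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+) TCP"
)
ZERO_MAC = "0:0:0:0:0:0"

def parse_alerts(text):
    """Map (timestamp, src, dst, msg) -> (src MAC, dst MAC) for every alert in the log."""
    return {(m["ts"], m["src"], m["dst"], m["msg"]): (m["smac"], m["dmac"])
            for m in ALERT_RE.finditer(text)}

def triage(reasm_log, plain_log):
    """Return alerts present only in the reassembling sensor's log, and the
    subset of those that carry an all-zero Ethernet address (suspect output)."""
    plain = parse_alerts(plain_log)
    only_reasm = {k: v for k, v in parse_alerts(reasm_log).items() if k not in plain}
    zero_mac = {k for k, (s, d) in only_reasm.items() if ZERO_MAC in (s, d)}
    return only_reasm, zero_mac

if __name__ == "__main__":
    only, zero = triage(SENSOR_A, SENSOR_B)
    for key in sorted(only):
        print(("ZERO-MAC " if key in zero else "         ") + " ".join(key))
```

Alerts that appear only with reassembly enabled and carry a zero MAC are the ones to pull the matching packets for (by timestamp and port pair) before reporting them.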